MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a701108be3d3802eba7c79c5c68afc0fee833595cdada8df5ac02ef9b97d2ad1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BazaLoader

Vendor detections: 5

SHA256 hash: a701108be3d3802eba7c79c5c68afc0fee833595cdada8df5ac02ef9b97d2ad1
SHA3-384 hash: 1fa21954c1f58dd10183b80f71e128dc7152132d1110d2faf5f2dce6982c04ae72893ab57c9bfc18b1dd120a0bac30e1
SHA1 hash: 651622388600efdc8e6ee4a92df6981d3881e5e9
MD5 hash: a11d1c066d6bd8e35bec3f985649e112
humanhash: oklahoma-sierra-ten-king
File name: WR0Z3N.dll
Download: download sample
Signature: BazaLoader
File size: 156'672 bytes
First seen: 2021-07-28 15:52:57 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
ssdeep: 1536:nxdifoVqWb2t3SLXMUthlUbf6cLRcJyXBq77TS1Vyzaw30qA/cimkd8TfnDItLqz:TMoVtb+37UP6jbK8q7PvJTLli1tq
Threatray: 43 similar samples on MalwareBazaar
TLSH: T181E39E6B51C80291E28A7A7CDF5EA7B3E195F5BB0A85A108333FC5F6F36658AC101343
Reporter: malware_traffic
Tags: bazacall BazaLoader BazarCall BazarLoader dll


malware_traffic
Run method: rundll32 [filename],GlobalOut
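Before loading a sample that is documented as being run through rundll32, verify that what you downloaded is byte-for-byte the recorded file and that it is in fact a PE DLL. The script below is an added example, not MalwareBazaar code and not part of the reporter's comment: the RECORD values are copied from the entry above, the file path is a placeholder, and the live sample must only be touched inside an isolated analysis VM.

```python
"""Verify a downloaded sample against the hashes recorded in this entry.

Added example, not MalwareBazaar code. RECORD is copied from the entry
above; the default file path is a placeholder.
"""
import hashlib
import sys

RECORD = {
    "sha256": "a701108be3d3802eba7c79c5c68afc0fee833595cdada8df5ac02ef9b97d2ad1",
    "sha3_384": "1fa21954c1f58dd10183b80f71e128dc7152132d1110d2faf5f2dce6982c04ae72893ab57c9bfc18b1dd120a0bac30e1",
    "sha1": "651622388600efdc8e6ee4a92df6981d3881e5e9",
    "md5": "a11d1c066d6bd8e35bec3f985649e112",
    "size": 156672,
}

IMAGE_FILE_DLL = 0x2000  # Characteristics flag set on DLLs (PE/COFF spec)


def hashes_of(data: bytes) -> dict:
    """Digest the bytes with the same four algorithms MalwareBazaar records."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
        "size": len(data),
    }


def verify(data: bytes, record: dict = RECORD) -> dict:
    """Return {field: (expected, actual)} for every recorded field that differs.
    An empty dict means the bytes are exactly the recorded sample."""
    actual = hashes_of(data)
    return {k: (v, actual[k]) for k, v in record.items() if actual[k] != v}


def pe_info(data: bytes) -> dict:
    """Cheap structural check: MZ stub, 'PE\\0\\0' signature at e_lfanew, and the
    IMAGE_FILE_DLL bit in the COFF Characteristics field, which a DLL that is
    meant to be loaded via rundll32 should carry."""
    info = {"is_pe": False, "is_dll": False}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return info
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return info
    info["is_pe"] = True
    coff = e_lfanew + 4                   # IMAGE_FILE_HEADER follows the signature
    chars = data[coff + 18:coff + 20]     # Characteristics is at offset 18 in it
    if len(chars) == 2:
        info["is_dll"] = bool(int.from_bytes(chars, "little") & IMAGE_FILE_DLL)
    return info


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "WR0Z3N.dll"  # placeholder path
    with open(path, "rb") as fh:
        blob = fh.read()
    print("PE header:", pe_info(blob))
    mismatches = verify(blob)
    print("hashes match the entry" if not mismatches else f"MISMATCH: {mismatches}")
```

Run it as `python verify_sample.py /path/to/sample` inside the analysis VM; any non-empty mismatch dict means you are not looking at the sample this entry describes, and a PE without the DLL bit will not behave as the documented `rundll32 [filename],GlobalOut` run method suggests.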

Intelligence


File Origin
# of uploads: 1
# of downloads: 180
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: WR0Z3N.dll
Verdict: Malicious activity
Analysis date: 2021-07-28 15:49:26 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: UNKNOWN
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Bazar Loader
Detection: malicious
Classification: spyw.evad
Score: 96 / 100
Signature
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
Detected Bazar Loader
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Sample uses process hollowing technique
Sets debug register (to hijack the execution of another thread)
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Behaviour
Behavior Graph (ID 455614; sample WR0Z3N.dll; start date 28/07/2021; architecture WINDOWS; score 96)
Sample-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Detected Bazar Loader; Sigma detected: Suspicious Svchost Process
Process tree:
  loaddll64.exe
    cmd.exe
      rundll32.exe
        -> 195.123.233.106:443 (local port 49716), GREENFLOID-ASUA, Bulgaria
        signatures: System process connects to network (likely due to code injection or exploit); Sets debug register (to hijack the execution of another thread); Writes to foreign memory regions; 4 other signatures
        svchost.exe
          -> 13.52.241.196:443 (local ports 49721, 49724), AMAZON-02US, United States
    rundll32.exe (Contains functionality to inject code into remote processes)
    rundll32.exe
  rundll32.exe
Result
Malware family: bazarbackdoor
Score: 10/10
Tags: family:bazarbackdoor backdoor suricata
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Blocklisted process makes network request
Bazar/Team9 Backdoor payload
BazarBackdoor
suricata: ET MALWARE Observed Malicious SSL Cert (BazaLoader CnC)
suricata: ET MALWARE Observed Malicious SSL Cert (Bazar Backdoor)
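The two sandbox reports above agree on the same chain: rundll32 loads the DLL through its GlobalOut export, a child svchost.exe is hollowed (WriteProcessMemory / SetThreadContext), and that svchost.exe is the process that reaches 195.123.233.106:443 and 13.52.241.196:443. The following is an added example, not code from MalwareBazaar or either sandbox vendor, showing how those findings translate into endpoint detection logic. The event shape is a simplified Sysmon-style record and the telemetry is constructed; the two IP:port pairs are taken from the report.

```python
"""Toy detection pass over constructed Sysmon-style telemetry.

Added example (not MalwareBazaar or sandbox code). Rules mirror the
findings on this page: rundll32 invoking the GlobalOut export, an
svchost.exe whose parent is not services.exe (the 'Suspicious Svchost
Process' pattern), and network contact from that process or to the
reported C2 endpoints. Event format and sample events are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Endpoints observed in the sandbox report above. 13.52.241.196 sits in an
# Amazon range, so in production match on port and time window as well.
C2_IOCS = {("195.123.233.106", 443), ("13.52.241.196", 443)}

# Assumption: on a stock Windows host svchost.exe is started by services.exe.
LEGIT_SVCHOST_PARENTS = {"services.exe"}


@dataclass
class Event:
    kind: str                          # "process" (creation) or "network" (connect)
    pid: int
    image: str                         # basename of the process image
    parent_image: Optional[str] = None
    cmdline: str = ""
    dst_ip: str = ""
    dst_port: int = 0


def detect(events: List[Event]) -> List[Tuple[str, int, str]]:
    """Return (rule, pid, detail) for every event that trips a rule."""
    alerts = []
    hollowed = set()   # pids of svchost.exe instances with an unexpected parent
    for e in events:
        if e.kind == "process":
            image = e.image.lower()
            parent = (e.parent_image or "").lower()
            # Run method documented for this sample: rundll32 <dll>,GlobalOut
            if image == "rundll32.exe" and ",globalout" in e.cmdline.lower().replace(" ", ""):
                alerts.append(("rundll32_globalout_export", e.pid, e.cmdline))
            # Sigma 'Suspicious Svchost Process': svchost not spawned by services.exe
            if image == "svchost.exe" and parent not in LEGIT_SVCHOST_PARENTS:
                hollowed.add(e.pid)
                alerts.append(("svchost_unexpected_parent", e.pid, f"parent={parent}"))
        elif e.kind == "network":
            dst = f"{e.dst_ip}:{e.dst_port}"
            if (e.dst_ip, e.dst_port) in C2_IOCS:
                alerts.append(("known_c2_contact", e.pid, dst))
            # 'System process connects to network (likely due to code injection)'
            if e.pid in hollowed:
                alerts.append(("injected_system_process_network", e.pid, dst))
    return alerts


# Constructed telemetry reproducing the reported chain plus one benign svchost.
SAMPLE_EVENTS = [
    Event("process", 1000, "explorer.exe", parent_image="userinit.exe"),
    Event("process", 2100, "rundll32.exe", parent_image="explorer.exe",
          cmdline=r"rundll32 C:\Users\victim\AppData\Local\Temp\WR0Z3N.dll,GlobalOut"),
    Event("process", 2300, "svchost.exe", parent_image="rundll32.exe", cmdline="svchost.exe"),
    Event("process", 800, "svchost.exe", parent_image="services.exe",
          cmdline="svchost.exe -k netsvcs"),
    Event("network", 2300, "svchost.exe", dst_ip="195.123.233.106", dst_port=443),
    Event("network", 2300, "svchost.exe", dst_ip="13.52.241.196", dst_port=443),
    Event("network", 800, "svchost.exe", dst_ip="192.0.2.10", dst_port=443),  # benign
]

if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:34} pid={pid:<5} {detail}")
```

The parent-process rule fires before any network activity and does not depend on the C2 addresses, which is what makes it worth more than the IP matches once the infrastructure rotates; the IOC match is there to confirm the specific sample family when it does hit.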
Unpacked files
SHA256 hash: a701108be3d3802eba7c79c5c68afc0fee833595cdada8df5ac02ef9b97d2ad1
MD5 hash: a11d1c066d6bd8e35bec3f985649e112
SHA1 hash: 651622388600efdc8e6ee4a92df6981d3881e5e9
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments